
Google in "World's largest" software update

The Stagefright attack is the nightmare perfect storm for smartphone users because it doesn't need the user to do anything to succeed. Most exploits need a user to at least install something first to compromise their handset, and users are constantly warned against using apps from untrusted sources. The Stagefright vulnerability, however, was baked in from the day the smartphone left the factory door, which means it's up to the manufacturer to fix it. Google have announced they are about to do this for all current Nexus models, which is easier for them since they directly control the OTA updates for those, and in partnership with all the major manufacturers in what has been dubbed the "World's largest software update" of just under a billion devices.

Stagefright video shows hack in action

Joshua Drake, the researcher from Zimperium who discovered the Stagefright vulnerability, has released a video showing how root can be silently gained from a handset. 

Once an attacker has root access, it's basically game over for security on that device. This means all messages, contacts, photos, videos, etc. can now be accessed. Also, with root access, the hacker can install more malware, such as a keylogger, which could then send any entered passwords to a remote site, for example.

Joshua didn't just discover the exploit - he also wrote a patch to fix it and forwarded it to Google.

Stagefright uses MMS Video as the attack vector

Long considered the ugly child of mobile media, MMS came around as a way to send simple audio and short video files across handsets in the pre-smartphone era. It's actually an evolution of SMS, but has largely been superseded by the availability of direct links and transfers of rich media data via the mobile internet. MMS still relies on the GSM network to send its content, which is how Stagefright can attack a smartphone unprompted - all it needs is the target's phone number. The attacking MMS packages a malicious video designed to trigger a known weakness in the onboard video playback system, and since the video is played automatically when received, the target is compromised immediately, even if the phone is in sleep mode or PIN-locked in a pocket. Since remote code execution is being used, that code can also remove all traces of what it did, making detection even more difficult.

With so many users relying on their smartphones for daily tasks which require sensitive data, such as passwords, to remain secret, and with the upcoming financial applications Google has been developing, such as Google Pay, it's not surprising they have been quick to address such a dangerous weakness as soon as it was discovered.

How to prevent Stagefright

Stagefright is the name of the component in Android responsible for processing, playing and recording media content. It has wider uses than just playing back video - it can generate thumbnails from full size images, for example.

To guard against Stagefright, the immediate short-term fix is to disable auto-playing of MMS content. This is done by turning off the option to "Auto retrieve MMS" in the messaging app you've set to handle them - usually the default, Hangouts.

Longer term, the advice is to wait - if your device is current, a patch will be sent via OTA and you'll be safe. For older devices, you may be out of luck as the notorious fragmentation problem means manufacturers often don't support them.